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I Abstract 

I We give a simple condition for a linear recurrence (mod 2™) of degree r to have the 

. maximal possible period 2™~^(2'' — 1). It follows that the period is maximal in the cases 

' of interest for pseudo-random number generation, i.e. for 3-term linear recurrences defined 

^-H ' by trinomials which are primitive (mod 2) and of degree r > 2. We consider the enumera- 

I tion of certain exceptional polynomials which do not give maximal period, and list all such 

• . polynomials of degree less than 15. 

^ ■ 

a , 

g ■ 1 Introduction 

^ ■ The Fibonacci numbers satisfy a linear recurrence 

^ ■ Fn = Fn-l + Fn-2- 

m '. 

T^lj- . Generalized Fibonacci recurrences of the form 

in ; 

! Xn = ±Xn-s ± Xn-r mod 2"" (1) 

o ■ 

Q I are of interest because they are often used to generate pseudo-random numbers [1, 5, 6, 11, 13, 

^ ■ 171. We assume throughout that xq, . . . ,Xr-i are given and not all even, and w > is a fixed 

* * I 

^> . exponent. Usually w is close to the wordlength of the (binary) computer used. 

Apart from computational convenience, there is no reason to restrict attention to 3-term 
■ recurrences of the special form (1). Thus, we consider a general linear recurrence 

qoXn + qiXn+1 H 1- qrXn+r = mod 2'^ (2) 

defined by a polynomial 

Q{t) = qo + qit + ... + Qrf (3) 

of degree r > 0. We assume throughout that go and qr are odd. qo odd implies that the sequence 
(x„) is reversible, i.e. x„ is uniquely defined (mod 2^") by Xn+i, • ■ ■ ,Xn+r- Thus, (x„) is purely 
periodic [19]. 

In the following we often work in a ring Zm[t]/Q{t) of polynomials (mod Q) whose coefficients 
are regarded as elements of Zm (the ring of integers mod m). For relations A = B in Zm[t]/Q{t) 
we use the notation 

A = B mod {m,Q). 
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It may be shown by induction on n that if an,o, • • • , CLn,r-i are defined by 

r-l 

*" = E«n,i*' mod (2^,Q(t)) (4) 

j=0 

then 

r-l 

x„ = ^ o,n,jXj mod 2"'. (5) 
i=o 

Also, the generating function 

Git) = J2xnt^ (6) 

n>0 

is given by 

G{t) = mod 2"", (7) 

where 

fc=0 \j=0 J 

is a polynomial of degree less than r, and 

Q{t) = fQ{l/t) = qof + qif-^ + ... + Qr 

is the reverse of Q. In the literature, is sometimes called the characteristic polynomial [4] 
or the associated polynomial [19] of the sequence. The use of generating functions is convenient 
and has been adopted by many earlier authors (e.g. Schur [15]). Ward [19] does not explicitly 
use generating functions, but his polynomial U is the same as our Q, and many of his results 
could be obtained via generating functions. 

Let pyj be the period of t under multiplication mod (2"',Q(i)), i.e. pw is the least positive 
integer p such that 

tP = l mod (2"',Q(t)). 

In the literature, pw is sometimes called the principal period [19] of the linear recurrence, some- 
times simply the period [4]. For brevity we define \ = pi. 

An irreducible polynomial in Z2[t\ is a factor of t^"^ — t (see e.g. [18]), so \\2^ — 1. We say 
that Q{t) is primitive (mod 2) if A = 2'' — 1. Note that primitivity is a stronger condition 
than irreducibility^ , i.e. Q{t) primitive implies that Q{t) is irreducible, but the converse is 
not generally true unless 2'' — 1 is prime^. Tables of irreducible and primitive trinomials are 
available [4, 10, 14, 16, 20, 22, 23, 24, 25]. 

In the following we usually assume that Q{t) is irreducible. Our assumption that and qr 
are odd excludes the trivial case Q{t) = t, and implies that Q{t) is irreducible (or primitive) of 
degree r iff the same is true of Q{t). 

We are interested in the period pyj of the sequence (x„), i.e. the minimal positive p such that 



(8) 



for all sufficiently large n. In fact, because of the reversibility of the sequence, (8) should hold 
for all n > 0. The period is sometimes called the characteristic number of the sequence [19]. 



^For brevity we usually omit the "(mod 2)" when saying that a polynomial is irreducible or primitive. Thus 
"Q{t) is irreducible (resp. primitive)" means that Q{t) mod 2 is irreducible (resp. primitive) in Z2[t]. 

^For example, the polynomial 1 + t + t^ +1''' + is irreducible, but not primitive, since it has A = 21 < 2® — 1. 
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In general the period depends on the initial values xq, . . . , Xr-i, but under our assumptions the 
period depends only on Q{t), in fact Pw = pw (see Lemma 2). 
It is known [7, 12, 19] that 

Pw < 2"'-'A 

with equality holding for all w > iff it holds for w = 3. The main aim of this paper is to give 
a simple necessary and sufficient condition for 

Pw = 2"-^A. (9) 

The result is stated in Theorem 2 in terms of a simple condition which we call "Condition S" 
(see Section 2). In Theorem 3 we deduce that the period is maximal if Q(t) is a primitive 
trinomial of degree greater than 2. Thus, in cases of practical interest for pseudo-random 

number generation^, it is only necessary to verify that Q(t) is primitive. This is particularly 
easy if 2*" — 1 is a Mersenne prime, because then a necessary and sufficient condition is 

t^'' =t mod {2,Q{t)). 

The basic results on linear recurrences modulo m were obtained many years ago - see for 
example Ward [19] . However, our main results (Theorems 2 and 3) and the statement of "Con- 
dition S" (Section 2) appear to be new. 

2 A Condition for Mgiximal Period 

The following Lemma is a special case of Hensel's Lemma [7, 8, 21] and may be proved using an 
application of Newton's method for reciprocals [9]. 

Lemma 1 Suppose that P{t) mod 2 is invertible in Z2[t]/Q{t). Then, for all w > 1, P{t) mod 
2"" is invertible in Z2w[t\/Q{t). 

We now give a sufficient condition for the periods Pw and to be the same. 

Lemma 2 IfQ{t) is irreducible of degree r and at least one oJxq,... ,Xr-i is odd, thenpw = Pw- 



Proof 

For brevity we write p = Pw and p = Pw- From (6), 

G(t) = mod 2"', 

where R(t) has degree less than p. Thus, from (7), 

R{t)Q{t) = (1 - tP)P{t) mod 2"'. (10) 

Now P{t) mod 2 has degree less than r, but is not identically zero. Since Q{t) mod 2 is irreducible 
of degree r, application of the extended Euclidean algorithm [7] to P{t) mod 2 and Q{t) mod 2 
constructs the inverse of P(t) mod 2 in Z2[t]/Q{t). Thus, Lemma 1 shows that P{t) mod 2^ is 
invertible in Z2'w[t]/Q{t). It follows from (10) that 

tP = l mod (2"',Q(t)), 

''A word of caution is appropriate. Even when the period Pu, satisfies (9), it is not desirable to use a full cycle 
of Pw numbers in applications requiring independent pseudo-random numbers. This is because only the most 
significant bit has the full period. If the bits are numbered from 1 (least significant) to w (most significant), then 
bit k has period pk ■ 
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and p\p. However, from (4) and (5), p\p. Thus p = p. □ 

As an example, consider Q(t) = 1 — t + t'^. We have = 1 mod (2,Q{t)), = —1 mod Q{t), 
and = I mod Q{t), so 

p^ = ia ^J""^!' (11) 

^ 1 6, if > 1. ^ ^ 

It is easy to verify that (11) gives the period of the corresponding recurrence 

Xn = Xn^i - Xn-2 mod 2*" 

provided xq and xi are not both even. 

The assumption of irreducibihty in Lemma 2 is significant. For example^, consider Q{t) = 
— I and w = I, with initial values xq = xi = 1. The recurrence is Xn = Xn-2 mod 2, so pi = 1, 
but pi = 2. Here P{t) = 1 + Hs a divisor of Q{t) = l- t^. 

We now define a condition which must be satisfied by Q{±t) if the period p^ of the sequence 
(xn) is less than 2"'~-'^A (see Theorem 2 for details). For given Q{t) the condition can be checked 
in O(r^) operations^. This is much faster than the method suggested by Knuth [7] or Marsaglia 
and Tsay [12], which involves forming high powers of r x r matrices (mod 8). 

Condition S 

Let Q{t) = J2^=oqjt^ be a polynomial of degree r. We say that Q{t) satisfies Condition S if 

Q{tf + Q{-tf = 2qrQ{t^) mod 8. 

Lemma 3 gives an equivalent condition^ which is more convenient for computational pur- 
poses. The proof is straightforward, so is omitted. 

Lemma 3 A polynomial Q(t) of degree r satisfies Condition S iff 



X! Wk = em mod 2 (12) 

j- 

for < m < r, where 



j+k=2m 
0<j<k<r 



As an exercise, the reader may verify that the polynomial Q{t) = 1 — t + t^ satisfies both 
the definition of Condition S and the equivalent conditions of Lemma 3. For other examples, 
see Table 1. 

For convenience we collect some results regarding arithmetic in the rings Z2^[t]/Q{t). 
Lemma 4 Let X(t) and Y{t) be polynomials over Z. Then, for w > 1, 

X = Y mod (2^, Q) ^ X"^ = Y'^ mod (2"'+\ Q). (14) 
Also, if Q(t) is irreducible, then 

= y2 mod (2, Q)^X^ = Y"^ mod (4, Q) (15) 

and 

X^ = Y^ mod (8, Q)^X = ±Y mod (4, Q). (16) 



®We thank a referee for suggesting this example. 

®0(r log r) operations if the FFT is used to compute the convolutions in (12). 
'^For another equivalent condition, see (17) and (25). 
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Proof 

lfX = Y mod (2"", Q) then X = Y + 2'"R mod Q for some polynomial R{t) in Z[t]. Thus 
X2 = y2 _^ 2'"+^R{Y + 2"'-ii?) mod Q, and (14) follows. 

Now suppose that Q{t) is irreducible. If = Y'^ mod (2, Q) then (X -Yf = {) mod (2, Q). 
Since Q is irreducible, it follows that X = Y mod (2, Q). Thus, from (14), X"^ = Y"^ mod (4, Q), 
and (15) follows. 

Finally, if Q is irreducible and = mod (8, Q) then, as in the proof of (15), we obtain 
X = Y mod (2, Q), so X = y + 2R mod Q, where R{t) is some polynomial in Z\t\. Thus 
AR{Y + i?) = mod (8, Q), i.e. R{Y + i?) = mod (2, Q). Since Q is irreducible, either 
i? = mod (2, Q) or F + i? = mod (2,(5). In the former case X = Y mod (4,(5), and in 
the latter case X = — y mod (4, Q). Thus X = ±Y mod (4, Q). The implication in the other 
direction follows from (14). This establishes (16). □ 

The following Theorem is the key to the proof of Theorem 2. There is no obvious general- 
ization to odd moduli. 

Theorem 1 Let Q{t) mod 2 be irreducible in Z2[t]. Then 

t^ = -l mod (4,(5 (t)) 
iff Q{t) satisfies Condition S, and 

t^ = 1 mod (4, Q{t)) 

iff Q{—t) satisfies Condition S. 

Proof 

Let 

Lr/2J L(r-1)/2J 

Vit) = <l2jt\ Wit) = Yl 

j=0 j=0 

SO Q{t) splits into even and odd parts: 

Q{t) = V{t^) + tW{t^). (17) 
By the definition of A, t = mod (2, Q{t)), so 

V{t'^) = t^+^W{t^) mod (2, Q{t)). (18) 
Because ^(t^) = X{t)'^ mod 2 for any polynomial X{t) in Z[t], (18) may be written as 

V{tf =t^+^W{tf mod(2,Q(t)). (19) 
A, being a divisor of 2'' — 1, is odd, so is a square. Thus, from (15), 

V{tf =t^+^W{tf mod(4,Q(t)). (20) 
Also, since V{t) = V{-t) mod 2 and W{t) = W{-t) mod 2, we have 

V{-tf = t^+^W{-tf mod(4,Q(i)). (21) 
To prove the first half of the Theorem, suppose that 

t^ = -l mod(4,Q(t)). (22) 
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Thus, from (20), 

V{tf + tW{tf = mod (4, Q{t)). (23) 

It follows that 

V{tf +tW{tf -qrQ{t) =0 mod (4,Q). (24) 
However, the left hand side of (24) is a polynomial of degree less than r. Hence 

V{t)'^ + tW{t)'^ - QrQit) = mod 4. (25) 

Replace t by in the identity (25). From (17), the result is easily seen to be equivalent to Q{t) 
satisfying Condition S. 

To prove the converse, suppose that Q{t) satisfies Condition S. Reversing our argument, (23) 
holds. Thus, from (20), 

(t^+^ + t)W{tf = mod (4, Q{t)). 

Now W{t) has degree less than r, and W{t) ^ mod 2 because otherwise, from (17), Q{t) = 
V{t)'^ mod 2 would contradict the irrcducibility of Q{t). Thus, W{t) mod 2 is invertible in 
Z2[t\/Q{t). From Lemma 1, W{t) mod 4 is invertible in Z4[t]/Q{t), and we obtain 

t^+^+t = mod {4, Q{t)). 

Since Q{t) ^ t mod 2, we can divide by t to obtain 

t^ = -l mod (4,(5(t)). 

This completes the proof of the first half of the Theorem. 

The proof of the second half is similar, with appropriate changes of sign. Suppose that 

t^ = l mod(4,Q(i)). (26) 

From (21), 

V{-t)^ = tW{-tf mod(4,Q(i)). (27) 
Thus, instead of (25) we obtain 

V{-tf - tW{-t)'^ - {-lyqrQit) = mod 4. (28) 

Replace t by —t^ in the identity (28). The result is equivalent to Q{—t) satisfying Condition S. 
The converse also applies: if Q{—t) satisfies Condition S then, by reversing our argument and 
using irrcducibility of Q{t), (26) holds. □ 

We are now ready to state Theorem 2, which relates the period of the sequence (x„) to 
Condition S. It is interesting to note that, in view of Theorem 1, Theorem 2 is implicit in 
the discussion on page 628 of Ward [19]. More precisely. Ward's case T > 1 corresponds to 
Q{—t) satisfying Condition S, while Ward's case (T = 1, K{x) = 1 mod 2) corresponds to Q{t) 
satisfying Condition S. However, Ward's exposition is complicated by consideration of odd prime 
power moduli (see for example his Theorem 13.1), so we give an independent proof. 

Theorem 2 Let Q{t) be irreducible and define a linear recurrence by (2), with at least one of 
xo, . . . iXr-i odd. Then the sequence (a;„) has period 

Pw < 2'"-'A 

for all w >2 if Q{—t) satisfies Condition S, 

Pro < 2"'-'A 
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for all w >3 if Q{t) satisfies Condition S, and 

for all w > 1 iff neither Q{t) nor Q{—t) satisfies Condition S. 
Proof 

Prom Lemma 2, pyj = pyj is the order of t mod (2"',Q(t)). If Q{—t) satisfies Condition S 
then, from Theorem 1, 

t^ = l mod (4,g(t)). 
Using (14), it follows by induction on w that 

t2'""'^ = l mod (2'^,Q(t)) 

for all w > 2. This proves the first part of the Theorem. The second part is similar, so it only 
remains to prove the third part. 

Suppose that pw = 2^~^A for all > 0. In particular, for u; = 3 we have period p3 = 4A. 
Thus 

^ 1 mod (8, Q{t)) 

and, from (16), 

t^^±l mod(4,Q(t)). (29) 

From Theorem 1, neither Q{t) nor Q{—t) can satisfy Condition S, or we would obtain a contra- 
diction to (29). 

Conversely, if neither Q{t) or Q{—t) satisfies Condition S, then we show by induction on w 
that 

^2™-iA ^ ^ ^ mod Q{t), (30) 

where 

i?^7^0 mod(2,Q(i)), (31) 

for all w > 1. Certainly 

t^ = l mod(2,Q(t)) 

but, from Theorem 1, 

t^^l mod(4,Q(t)), 
so (30) and (31) hold for = 1. Defining 

Rw = Rw-i{^ + 2*" ^Ryj-i) (32) 

for u; > 2, we see that (30) holds for all u; > 1. It remains to prove (31) for w > I. For w = 2, (31) 
follows from Theorem 1 and (16), because t^ ^ ±1 mod (4, Q{t)) implies t^'^ ^ 1 mod (8, Q{t)). 
For u; > 2, (31) follows by induction from (32), since 2^""^ is even. It follows that 

Pw = 2"'-^A 

for all w > I. □ 
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3 Primitive Trinomials 



In this section we consider a case of interest because of its applications to pseudo-random number 
generation: 

Q{t) = qo + Qst' + qrf 

is a trinomial (r > s > 0). Theorem 3 shows that the period is always maximal in cases of 
practical interest. The condition r > 2 is necessary, as the example Q{t) = 1 — t + Section 2 
shows. 

Theorem 3 Let Q{t) be a primitive trinomial of degree r > 2. Then the sequence defined 
by (2) (with at least one of xq, . . . ,Xr-i odd) has period Pw = 2^~^(T' — 1). 

Proof 

Prom Theorem 2 it is sufficient to show that Q{t) does not satisfy Condition S. (Since Q{—t) 
is also a trinomial, the same argument shows that Q{—t) does not satisfy Condition S.) 

Suppose, by way of contradiction, that satisfies Condition S. We use the formulation of 
Condition S given in Lemma 3. Since Q{t) is irreducible, go = 9s = 9r = 1 mod 2. If s is even, 
say s = 2m, then 

9j1k = qoQs = 1 mod 2, 

j+k=2m 
0<j<k<r 

SO Em 7^ 0, and (13) implies that qm ^ 0. Since < m < s < r, this contradicts the assumption 
that Q{t) is a trinomial. Hence, s must be odd. 

If r is odd then r + s is even, and a similar argument shows that q(r+s)/2 0) contradicting 
the assumption that Q{t) is a trinomial. Hence, r must be even. 

Taking m = r/2, we see that 7^ 0, so Qm ^ 0. This is only possible if m = s, so 

Q{t) = t^' + f + 1 mod 2. 

In this case t^* = 1 mod {2,Q{t)). Now r = 2s > 2, so 3s < 2^ - 1, and Q{t) can not be 
primitive. This contradiction completes the proof. □ 
A minor modification of the proof of Theorem 3 gives: 

Theorem 4 Let Q{t) = qo + qst^ + qrt^ be an irreducible trinomial of degree r ^ 2s. Then the 
sequence (xn) defined by (2) (with at least one of xq, . . . ,Xr-i odd) has period p^ = 2'^~^X. 

As mentioned above, it is easy to find primitive trinomials of very high degree r if 2'' — 1 is 
a Mersenne prime. Zierler [24] gives examples with r < 9689, and we found two examples with 
higher degree: t^^'^^^ + 1^^*"^ + 1 and t^^^"^ + 1^'^^^ + 1. These and other examples with r < 44497 
were found independently by Kurita and Matsumoto [10]. Such primitive trinomials provide 
the basis for fast random number generators with extremely long periods and good statistical 
properties [3]. 

4 Exceptional Polynomials 

We say that a polynomial Q{t) of degree r > 1 is exceptional if conditions 1-3 hold and is a 
candidate if conditions 2-3 hold - 

1. Q(t) mod 2 is primitive. 

2. Q{t) has coefficients qj G {0, —1, +1}, and qo = qr = 1- 
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3. Q{t) satisfies Condition S. 

By Theorem 2, if Q{t) is exceptional then Q{t) and Q{—t) define simple linear recurrences 
(mod 2^") which have less than the maximal period for w > 2. 

Only the coefficients of Q{t) mod 4 are relevant to Condition S. If condition 2 is relaxed 
to allow coefficients equal to 2 then, by Lemma 3, there is one such Q(t) corresponding to 
each primitive polynomial in Z2[t]. With condition 2 as stated the number of these Q{t) is 
considerably reduced. 

It is interesting to consider strengthening condition 2 by asking for certain patterns in the 
signs of the coefficients. For example, we might ask for polynomials Q{t) with all coefficients 
Qj G {0, 1}, or for all coefficients of ±Q{—t) to be in {0, 1}. There are candidates satisfying 
these conditions, but we have not found any which arc also exceptional, apart from the trivial 
Q{t) = 1 — t + t'^. It is possible for an exceptional polynomial to have {—lyqj > for < j < r. 
The only example for 2 < r < 44 is 

= 1 _ t + ^2 _ ^5 + ^6 + ^8 _ ^9 + ^10 + ^12 _ ^13 + ^16 + ^18 + ^21 _ 

Observe that Q{—t) defines a linear recurrence with nonnegative coefficients 

Xn+21 =Xn + Xn+1 + Xn+2 + Xn+5 + Xn+6 + Xn+8 + Xn+9 + Xn+lO + Xn+12 + Xn+13 + Xn+W + Xn+18 

which has period P2 = Pi = 2^^ — 1 when considered mod 2 or mod 4. 

In Table 1 we list the exceptional polynomials Q{t) of degree r < 14. If Q(t) is exceptional 
then so is Q{t). Thus, we only list one of these in Table 1. 

The number z/(r) of exceptional Q{t) (counting only one of Q{t),Q{t)) is given in Table 2. 
The term "exceptional" is justified as z/(r) appears to be a much more slowly growing function 
of r than the number [4] 

A2(r) = 99(2--l)/r 

of primitive polynomials of degree r in Z2[t] (where (p is Euler's totient-function) or the total 
number of polynomials of degree r with coeflficients in {0, —1, +1}. Heuristic arguments suggest 
that the number K{r) of candidates should grow like (3/2)'" and that i^(r) should grow like 
(3/4)''A2(r). The arguments are as follows - 

There are 2'^~^ polynomials Q{t) of degree r with coefficients in {0, 1}, satisfying 
Qo = Qr = ^- Randomly select such a Q{t), and compute eo, ei, . . . , from 

Wk = Cm mod 2 

j+k=2m 
0<j<k<r 

Extend Q{t) to a polynomial Q{t) with coefficients € {—1,0, 1,2} such that 

Qm = Qm mod 2 and (13) is satisfied for < m < r. The (unique) mapping is given 

by 

Qm = Qm + 2e^ mod 4. It is easy to see that qo = Qr = 1. If we assume that each 
for 1 < m < r has independent probability 1/4 of assuming the "forbidden" value 2, 
then the probability that Q{t) is a candidate is (3/4)''~-'^. Thus, 

K{r) ~ (3/2)'-^ 

The argument is not strictly correct. For example, it gives a positive probability 
that qi = 0, q2 = 1, but this never occurs for r > 2. However, the argument does 
appear to predict the correct order of magnitude of K{r). 
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The probability that a randomly chosen Q{t) with qq = Qr = 1 is primitive is just 
X2{r) /2'^~^ . If there is the same probability that a randomly chosen candidate is 
primitive, then the number of primitive candidates should be (3/4)*~^A2(r), and 
u{r) should be half this number. 

In Table 2 we give 

u{r) — 



the numerical evidence suggests that i>{r) converges to a positive constant //(oo) as r — ?> oo. 
However, i/(oo) is less than the value 2/3 predicted by the heuristic argument. Our best estimate 
(obtained from a separate computation which gives faster convergence) is 

iy{oo) = 0.45882 ± 0.00002 

The computation of Table 2 took 166 hours on a VaxStation 3100. We outline the method 
used. It is easy to check if a candidate polynomial is exceptional [7] . A straightforward method 
of enumerating all candidate polynomials of degree r is to associate a polynomial Q{t) such that 

= 9r = 1 with an (r — l)-bit binary number N = bi - ■ ■ br-i, where bj = qj mod 2. For each 
such A^, compute eo, . . . , from (12). Now (13) defines qo, . . . ,qr mod 4. If there is an index m 
such that em = 1 mod 2 but Qm = ^ mod 2, then (13) shows that = 2 mod 4, contradicting 
condition 2. The straightforward enumeration has complexity 0(2''), but this can be reduced 
by two devices - 

1. If (13) shows that = 2 mod 4 for some m < r/2, we may use the fact that em in (12) 
depends only on qg,. . . , q2m to skip over a block of 2^~'^'^~^ numbers N . By an argument 
similar to the heuristic argument for the order of magnitude of ^{r), with support from 
empirical evidence for r < 40, we conjecture that this device reduces the complexity of the 
enumeration to 



2. Fix s, < s < r. Since e^-m in (12) depends only on qr-2m, • • • , Qr; we can tabulate those 
low-order bits brs ■ ■ ■ K-i which do not necessarily lead to condition 2 being violated for 
some qr-m, 2m < ,s. In the enumeration we need only consider N with low-order bits in 
the table. We conjecture that this reduces the complexity of the enumeration to 



provided care is taken to generate the table efficiently. 

The two devices can be combined, but they are not independent. The complexity of the 
combination is conjectured to be 

'ON (6r+5s)/12\ / /ox5s/12N 



O r'^T' 



4/ 



where the exponent 5s/ 12 (instead of s/2) reflects the lack of independence. In the computation 
of Table 2 we used s < 22 because of memory constraints. The table size is 

0(s3*/2) bits if the 

table is stored as a list to take advantage of sparsity. 
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r 


Q{i) 


2 




5 


, ,0 ,/i 

1 - 1 - + + 


9 


i-t + t^ + -t'' -t"^ + 

i-t+t''-t^-t^-t''+t<' + t^+t^ 


10 


i-t+t^ + + t'^ + 1^^ -f + t'-^ + 1^^ 


11 


^ T! 2 P 7- c n 

l-t + t^ -t-^ -t^ + t'' + -t^ + t^^ 


12 




13 


1 - t + + t3 + ^4 ^ ^5 + ^7 + ^9 _ ^11 _ ^12 ^ ^13 

1 _ t + t2 + ^3 + ^4 ^ ^5 _ ^8 _ ^9 _ ^11 _ ^12 ^ ^13 


14 


1 _ t + ^2 ^ ^3 _ ^4 _ ^ti _ ^ ^8 + ^9 _ ^11 ^ ^14 
1 + t + t3 - t4 _ ^5 + ^6 + ^7 + ^8 + ^9 _ ^11 + ^14 
1 - t - t2 + ^3 _ i5 + ^6 + ^7 _ ^8 _ ^9 + ^13 + ^14 
1 _ t _ t2 _ ^3 _ ^5 + ^7 + ^9 ^ ^10 _ ^11 + ^13 + ^14 
l-t-t2+i4_i6 + ^8+^9 + ^10+^ll+^13 + ^14 



Table 1: Exceptional Polynomials of degree r < 14 



r 




i/(r) 


r 




i^(r) 


1 








21 


79 


0.3923 


2 


1 


1.78 


22 


94 


0.4390 


3 








23 


231 


0.4837 


4 








24 


129 


0.4650 


5 


1 


0.70 


25 


428 


0.4388 


6 








26 


448 


0.4615 


7 








27 


883 


0.4964 


8 








28 


635 


0.4218 


9 


3 


0.83 


29 


1933 


0.4410 


10 


1 


0.30 


30 


1470 


0.4619 


11 


1 


0.13 


31 


4380 


0.4721 


12 


1 


0.22 


32 


3125 


0.4636 


13 


5 


0.33 


33 


7232 


0.4549 


14 


5 


0.37 


34 


8862 


0.4656 


15 


15 


0.62 


35 


18870 


0.4792 


16 


12 


0.58 


36 


10516 


0.4560 


17 


26 


0.45 


37 


40082 


0.4547 


18 


18 


0.41 


38 


39858 


0.4623 


19 


62 


0.53 


39 


75370 


0.4712 


20 


34 


0.45 


40 


54758 


0.4598 



Table 2: Number of Exceptional Polynomials 
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